As IT departments battle trojans, viruses and worms, one particularly nasty critter is still finding myriad ways to slither onto enterprise PCs. Spyware, usually considered an annoyance of home users, has been showing up more often in the corporate world, and it is bad news for business users.
“For the most part, organizations are blind to it,” Forrester analyst Michael Rasmussen told the E-Commerce Times. “They focus on viruses and don’t think about the danger that spyware represents. Because of this, I think it’ll get worse before it gets better.”
What can companies do to defend themselves against this largely unseen scourge?
Spy vs. You
In a nutshell, spyware is defined as any technology that helps gather information about a person or organization without their knowledge. It can infiltrate a computer through a virus or, more often, as the result of a user’s decision to install a new program or download a file from the Internet.
Some spyware programs are relatively benign, used only to monitor people’sWeb surfing habits and send that information back to marketing companies. These particular programs are usually termed adware, and marketers are keen to distance them from their more malicious kin. Other types of spyware programs may be deliberately installed, often by bosses who want to make sure their employees are not wasting time.
The most dangerous form of spyware is the kind that invades a computer system, tracks users’ keystrokes and then delivers that data back to someone who wants to do harm. If keystrokes are recorded, for example, a spyware author could gain access to corporate passwords, credit card numbers, e-mails and other sensitive documents.
Rasmussen noted that this type of spyware is far more prevalent than enterprises may think. “The threats are very significant,” he said. “It’s a huge problem.”
Spy Network
Although spyware has been around for years, some analysts believe the problem is worsening.
Yankee Group senior analyst Eric Ogren told the E-Commerce Times that the spyware threat is growing because of the mobility of today’s workforce.
“Enterprises are extending their networks out, so you see laptops being hooked up to hotel networks and workers using their home PCs,” he said.
If security is lax for laptop machines and home networks, spyware can gain a foothold and begin recording data. As Ogren noted, “Companies aren’t doing as much as they should to stop this problem from spreading.”
Danger Ahead
Spyware, in its most pernicious form, constitutes more than an invasion of privacy. It puts a company at risk and could result in harsh penalties down the road for the victimized enterprise.
“Imagine that spyware gets onto the computer of a field agent of an insurance company,” Rasmussen said. “The program sends sensitive data back to its source. Now you’ve made all that data vulnerable, and you could have a class-action lawsuit on your hands.”
He added that companies that are regulated, such as banks and insurance firms, should be paying special attention to preventing spyware.
Michael Wood, vice president of sales at Lavasoft, which makes the widely popular Ad-Aware spyware removal program, told the E-Commerce Times that a particularly prevalent kind of spyware is called a “dialer.” This program changes a user’s dialing preferences, causing the user to run up dial-up phone bills of hundreds or even thousands of dollars.
Because dialers are not illegal, employees on the road who must dial in for Internet access could be vulnerable to this kind of intrusion.
Preventive Measures
Although companies are not doing as much as they could to stem the spyware tide, there are strategies for keeping damages low and banishing such programs from enterprise computers.
For starters, Lavasoft’s Ad-Aware scans for spyware and smokes it out of its hiding places. Wood said his company now is focusing more on enterprise customers and will continue to refine its product for that market. In the meantime, he suggested, some user education might not be out of place.
At the very least, informing users of the dangers of spyware makes them aware of the problem. Smaller companies can even encourage users to perform spyware checks themselves by visiting a site like PestPatrol.com, which offers free spyware scanning of individual computers.
“IT managers should make sure to tell users, again and again, not to open attachments unless they know they’re safe,” Wood said. “Also, in a company, the IT department should be given the power to eliminate the ability of users to install software on their machines.”
Bundling Benefits
Rasmussen noted that security heavyweights Symantec and Network Associates have been enhancing their product suites with anti-spyware components, which should cut down on the amount of software IT departments have to buy. Also, because complex security applications often have centralized control, an IT manager would not have to run from machine to machine when checking the status of the software.
“You don’t want to have to install anti-spyware programs along with doing patches and firewalls,” he said. “You want to pick one program that does everything fairly well. It’s too costly the other way.”
Loading ...
There’s another problem — although it’s not widespread yet. http://snurl.com/32fi
Much spyware comes with an EULA that’s clicked "yes, I agree." The infamous "Hotbar" has some egregious terms in its EULA, but people click right through.
Such spyware sources could claim legal rights in the case that someone portrays them as pernicious. "Let the user beware," and all that.
This is one reason I don’t anticipate seeing the antivirus people bolt anti-spyware modules into their products anytime soon. They’re safe as long as they deal with programs that are merely illegal to distribute (you foist a virus, it’s a crime). But I doubt they’ll start slandering legal programs that merely prey on folks who have neither technical intuition nor patience enough to read what they’re agreeing to when they install that software.
Spyware will fall to netadmins to deal with, and the tools that are out there now are pretty good. Killbits and cookie blocks, per ad-aware, spybot and spywareblaster, are the ticket.
It’ll take some legal hassles before this is all sorted out, I’m sure. It may be that companies that kill spyware might have to in principle be capable of blocking any software whatsoever, just to prove that they’re being even-handed. In that case, anti-spyware software might be more in the category of license metering and control software than of antivirus software — allowing the user total control. But with 472 killbits currently at large in the major antispyware innoculators, how’s an end user going to make policy decisions without categories? And then you end up with the same problem — the spywarers will sue if you pigeonhole them as undesirable.
Perhaps the policy would need to work like this: all the features that matter for the purposes of spyware are enumerated for all software the system allows control of. These would be factual, not judgmental, categories. "periodically sends browsing data to vendor," "uses cookies beyond site scope," whatever. The end user then decides which categories to toast, and whether inclusion in any other categories might trump exclusion base on others, and so forth.
Blah, blah, blah.